Abstract

One of the most common control mechanisms for authenticating users of computer-based information systems is the use of passwords. However, despite the widespread use of passwords, little attention has been given to the characteristics of their actual use.

This paper addresses the gap in evaluating the characteristics of real-life passwords and presents the results of an empirical study on password usage. It investigates the core characteristics of user-generated passwords in a DoD environment and the associations between those variables.



CR Categories and Subject Descriptors: D.4.6 [Security and Protection]: access control; authentication.

General Terms: Computer security, passwords.






Introduction 

The proliferation of computer technology has bred opportunities for ill-intentioned individuals to violate the integrity and validity of computer-based information systems. At the same time, a growing dependence on computer-based information systems creates an urgent need to collect information and render it accessible.

A fundamental access control method in any computer-based information system is the ability to authenticate the identity of a system user. While research continues on more sophisticated methods of authentication, password mechanisms remain the predominant method of authenticating users of computer-based information systems [2, 6, 9, 10, 12, 15, 18, 21, 23]. A password is a mutually agreed upon code word, assumed to be known only to the user and the operating system. In some cases a password is chosen by the user, while in other cases it is generated and assigned by the security kernel of the operating system. The length and format of passwords vary from one information system to another [6, 8, 12, 18].

Passwords are known to suffer from several pitfalls. First, the tradeoff between memorability and safety poses a difficult dilemma in the generation of passwords. Passwords should be difficult to guess and easy to remember [8, 11, 18, 19, 25]. For passwords to be difficult to guess, they should be selected from a large domain. Nevertheless, if passwords are chosen to make them difficult to guess, they may also be difficult to remember. The most secure type of password is a random string of characters [3, 19, 24]. Although such passwords are difficult for others to guess, users generally dislike them, because random, arbitrary passwords are difficult to remember. Instead, most users resort to meaningful details, such as a name, nickname, initials, birthdate, and so on [3, 15].

A password that is difficult to remember compels a user to write it down, ensuring it will not be forgotten but compromising its secrecy [17]. On the other hand, if a difficult password is not written down, it may well be forgotten, resulting in serious inconvenience [2, 19]. Therefore, an organization should establish a password policy that strikes a balance between ease of remembrance and susceptibility to compromise [24].

Despite the widespread use of passwords, little attention has been given to the characteristics of their actual use. A unique effort to reveal the characteristics of passwords used in a real-life system was presented in 1979 by Morris and Thompson [14]. Their paper described the basic characteristics of user-generated passwords in a UNIX environment and analyzed the level of security provided by these passwords. No follow-on research or additional empirical work on password usage and characteristics has been reported since. This paper addresses the gap in evaluating the characteristics of real-life passwords and presents the results of an empirical study on password usage.

Research Method 
Source of the Data 

To assess password practices and experiences, questionnaires were sent to graduate students and faculty and staff members at the Naval Postgraduate School in Monterey, California.

At the Naval Postgraduate School, which is a management and engineering graduate school, both students and faculty have access to the campus computing center's mainframe without user charges. The mainframe can only be accessed with a combination of a user-id (assigned by the computing center) and a user-generated password. Once access to the school's mainframe has been granted, a user is provided with immediate access to a large variety of computing resources within the Department of Defense (DoD) through the DoD communications network.

This survey, however, was not limited to questions about password practices for access to the campus mainframe. Users were also asked about the way they employed passwords on the school's departmental minicomputers, instructional PC networks linked to the mainframe, and computer-based information systems at other institutions.

Instrumentation 

The questionnaire asked for responses in four major areas: user demographics, password characteristics, password memorability, and the importance and sensitivity of user data files. Appendix A contains the entire questionnaire.

Demographic items: Age, sex and organizational affiliation (department or academic curriculum).

Password characteristics: The number of characters in a password, its structure (alphabetic, numeric, alphanumeric or ASCII) and the basis for choosing a password. How a password was chosen means whether it was based on a personally meaningful detail (user's last name, first name, nickname, child's name or some other easily recalled bit of personal, biographical information), a combination of meaningful details (BILL89 or LOVEMARY), a pronounceable string of characters (2BFREE), a string of random characters (11*DGF1181) or some other basis.
Password Memorability and Computer Usage Characteristics: Difficulty in remembering a password (yes or no), whether the password was written down (yes or no), and if so, where. Multiple choice options were provided for where it might be written down (wallet, notebook, calendar, desk, etc.).

Importance and Sensitivity of User Data Files: Users were asked to separately rate both the importance and the sensitivity of their data files on a scale of one to five. Data importance referred to the inherent value of the data to an individual user. Sensitivity means the degree to which problems would arise if the contents of their data files were known to others. To distinguish between importance and sensitivity of a data file, consider, for example, that a data file containing the text of a student's graduate thesis might not be publicly sensitive but would be of irredeemable value to its author. By comparison, a professor's data file containing student course grades would have little inherent value but would be highly sensitive to disclosure. Indeed, divulging such a list could violate U.S. laws regarding privacy of information.

Sample Characteristics 

The questionnaires were distributed to 1600 students and 400 faculty and staff members at the Naval Postgraduate School through the school's internal mail system. 997 questionnaires (49.9%) were returned, of which 208 were from faculty/staff while 789 were from students. 903 of the respondents were males and 94 were females. The average age of the respondents was 34, ranging from 23 to 76. Of these, 860 (43% of the 2000 surveyed) used passwords and were included in the following analysis.
Findings

Number of Characters in Password 

The average number of characters in a password, calculated from the password lengths in this study, was six. Figure 1 shows that passwords of five and six characters were nearly tied in popularity and 80% of the respondents used a password of 4-7 characters. While the DoD recommends that passwords should be, at a minimum, six characters in length [5], 47% of the surveyed passwords failed to meet this minimum. Menkus [15] further supports this password length guideline and suggests that the ideal length is six to eight characters.



Insert Figure 1 about here 



How Users Chose a Password 

As Figure 2 shows, users strongly preferred (78.4%) passwords made up from a meaningful detail or a combination of meaningful details. Examples of meaningful details are names, a nickname, the name of a child, pet or spouse, or a birth date. The item has meaning for the person using it, which should enhance its memorability. 13.1% of the respondents did not answer this particular question.



Insert Figure 2 about here 
Structure of Passwords

Figure 3 presents the structure of the surveyed passwords. 80.1% of the respondents preferred an alphabetic structure for their passwords, while only 0.7% used the entire ASCII character set as a basis for constructing their password.
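The following Python is an added worked example, not part of the paper or its questionnaire. It classifies a constructed list of passwords (modelled on the illustrations in the Instrumentation section, not survey data) into the four structure classes used above and sizes the exhaustive-search space implied by each password's length and class, so that the length and structure findings can be read as a work factor. The class sizes (26 letters, assuming a case-insensitive mainframe login; 10 digits; 36 alphanumerics; 95 printable ASCII characters) and the guess rate are assumptions made for the example.

```python
import math

# Assumed sizes of the four structure classes used in the survey. 26 for
# "alphabetic" assumes letters fold to one case (a 1980s mainframe login);
# 95 is the printable ASCII range 0x20-0x7E. These are assumptions of this
# example, not figures taken from the paper.
CLASS_SIZES = {
    "alphabetic": 26,
    "numeric": 10,
    "alphanumeric": 36,
    "ASCII": 95,
}


def classify(password: str) -> str:
    """Map a password onto the questionnaire's structure classes."""
    if not password or not password.isascii() or not password.isprintable():
        raise ValueError("only non-empty printable ASCII passwords are classified")
    if password.isalpha():
        return "alphabetic"
    if password.isdigit():
        return "numeric"
    if password.isalnum():
        return "alphanumeric"
    return "ASCII"  # at least one punctuation or space character


def search_space(password: str) -> int:
    """Strings of the same length drawn from the same class: the number of
    candidates an attacker who knows only length and class must try."""
    return CLASS_SIZES[classify(password)] ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space, i.e. the exhaustive-search work factor.
    Meaningful-detail passwords are far weaker than this figure suggests,
    because a dictionary search does not enumerate the class uniformly."""
    return len(password) * math.log2(CLASS_SIZES[classify(password)])


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole class at an assumed guess rate."""
    return search_space(password) / guesses_per_second


# Constructed sample modelled on the questionnaire's illustrations
# (meaningful detail, combination of details, pronounceable string,
# random string). Not survey data.
SAMPLE = ["SMITH", "LOVEMARY", "BILL89", "2BFREE", "123456", "2B#FR3", "11*DGF118"]


def summarize(passwords=SAMPLE, guesses_per_second=1e6):
    """One row per password: (password, class, length, bits, seconds to exhaust)."""
    return [
        (pw, classify(pw), len(pw), round(entropy_bits(pw), 1),
         seconds_to_exhaust(pw, guesses_per_second))
        for pw in passwords
    ]


if __name__ == "__main__":
    for pw, cls, n, bits, secs in summarize():
        print(f"{pw:<10} {cls:<13} len={n} {bits:5.1f} bits  exhaust={secs:>14,.0f} s")
```

The comparison worth noting is between "LOVEMARY" (eight letters, about 37.6 bits) and "2B#FR3" (six characters from the full printable set, about 39.4 bits): the shorter password from the larger class has the larger search space, which is the "large domain" point made in the introduction. On this measure the 80% of surveyed passwords that were 4-7 alphabetic characters fall between roughly 18.8 and 32.9 bits, before any credit is given to a dictionary attack against meaningful details.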



Insert Figure 3 about here 



How Many Wrote Down Their Password

Only 9.7% of the users reported having difficulty in remembering their password. However, 23.3% of the respondents wrote down their password. When a user writes down a password, it is usually in an insecure location [22]. Once a password is written down it is no longer something known but becomes something possessed [10]. Searching through a user's notebook, desk, diary or user's manual is a good means of discovering a password [2].

Where the Password Is Written Down

The DoD Password Management Guidelines [5] recommend that "If passwords must be written, they should be protected in a manner that is consistent with the damage that could be caused by their compromise" [5, p. 8]. Figure 4 shows that, among the respondents who said they wrote down their password, the location of choice was the wallet (42.1%) followed by a notebook (21.3%).
Insert Figure 4 about here



Frequency of Changing Password 

While the periodic changing of a password is a basic security measure [5, 18], Figure 5 reveals that 79.5% of these users never changed their password. Less than 0.6% of them changed passwords more often than once a year.



Insert Figure 5 about here 



Relationships Between Password Characteristics

Based on these findings, an attempt was made to relate the variables under investigation to one another. The rationale for this analysis was to find whether password memorability and ease of guessing are associated with variables assessed by this survey. Five research questions were addressed:

1) What variables are associated with a decision to write down a password?

2) What factors are related to how difficult a password is to remember?

3) What variables are related to the ease of guessing a password?

4) How is the sensitivity of data related to password selection?

5) How is the importance of data related to password selection?
The null hypothesis (H0) in all cases was that no association existed between the two items being tested. A null hypothesis was rejected only when the probability that the tested association could have happened by chance was less than .05. Table 1 portrays the various statistical tests for association that were employed. The selection of the appropriate test depends on the nature of the variables under investigation [20]. All statistical computations were made with SPSS-X [16].
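As an added example (not from the paper, whose computations were done in SPSS-X), the following Python carries out the kind of test Table 1 refers to for two dichotomous variables: a Pearson chi-square test of independence on a contingency table, with the p-value compared against the .05 cutoff and Cramer's V (the phi coefficient for a 2x2 table) reported as a measure of strength. The strength measure is what makes it possible to say, as the analysis below does, that an association is statistically significant yet not strong. The cross-tabulation is constructed: its margins follow counts given later in the text (860 users, 83 reporting difficulty remembering, 200 writing the password down), but the cell split is hypothetical and is not the paper's Table 2. The chi-square tail probability is computed with only the standard library.

```python
import math


def chi_square_sf(x: float, df: int) -> float:
    """P(X > x) for a chi-square variable with df degrees of freedom.

    Uses the closed forms Q(x;1) = erfc(sqrt(x/2)) and Q(x;2) = exp(-x/2) and
    the recurrence Q(x;k+2) = Q(x;k) + (x/2)^(k/2) exp(-x/2) / Gamma(k/2 + 1),
    which follows from the upper incomplete gamma function recurrence.
    """
    if df < 1 or x < 0:
        raise ValueError("df must be >= 1 and x >= 0")
    if df % 2:
        k, q = 1, math.erfc(math.sqrt(x / 2))
    else:
        k, q = 2, math.exp(-x / 2)
    while k < df:
        q += (x / 2) ** (k / 2) * math.exp(-x / 2) / math.gamma(k / 2 + 1)
        k += 2
    return q


def chi_square_independence(table):
    """Pearson chi-square test of independence on an r x c table of counts.

    Returns (chi2, df, p, cramers_v). Cramer's V is on a 0..1 scale and equals
    the phi coefficient for a 2x2 table; it measures strength of association,
    which the p-value alone does not.
    """
    rows, cols = len(table), len(table[0])
    if any(len(r) != cols for r in table):
        raise ValueError("ragged table")
    n = sum(map(sum, table))
    row_tot = [sum(r) for r in table]
    col_tot = [sum(table[i][j] for i in range(rows)) for j in range(cols)]
    chi2 = 0.0
    for i in range(rows):
        for j in range(cols):
            expected = row_tot[i] * col_tot[j] / n
            if expected == 0:
                raise ValueError("zero expected count; cell cannot be tested")
            chi2 += (table[i][j] - expected) ** 2 / expected
    df = (rows - 1) * (cols - 1)
    p = chi_square_sf(chi2, df)
    cramers_v = math.sqrt(chi2 / (n * (min(rows, cols) - 1)))
    return chi2, df, p, cramers_v


ALPHA = 0.05  # the paper's cutoff for rejecting the null hypothesis

# Constructed 2x2 cross-tabulation of "difficult to remember" against
# "written down". Margins follow the text (860 users, 83 with difficulty,
# 200 writing the password down); the cell split is invented for
# illustration and is not taken from the paper's Table 2.
HYPOTHETICAL_TABLE = [
    # written down, not written down
    [50, 33],    # difficult to remember
    [150, 627],  # not difficult to remember
]


def evaluate_association(table=HYPOTHETICAL_TABLE, alpha=ALPHA):
    """Run the test and report whether H0 (no association) is rejected."""
    chi2, df, p, v = chi_square_independence(table)
    return {"chi2": chi2, "df": df, "p": p, "cramers_v": v, "reject_h0": p < alpha}


if __name__ == "__main__":
    r = evaluate_association()
    print(f"chi2={r['chi2']:.2f} df={r['df']} p={r['p']:.2e} "
          f"V={r['cramers_v']:.2f} reject_H0={r['reject_h0']}")
```

On the constructed table the statistic is about 70 with p far below .05, so H0 is rejected, while V is only about 0.29: a significant association that is nonetheless not strong, which is the distinction the text draws for several of its findings. A table whose rows are proportional (for example [[20, 80], [40, 160]]) gives a statistic of zero and p = 1.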



Insert Table 1 about here 



Writing down a password 

Responses to the question "do you write down your password?" (a dichotomous response) were examined for their association with six variables. It had been assumed that users write down a password if:

1. It has a high number of characters in it (variable called "Number").

2. The characteristics of the password make it difficult to remember, e.g. a random string or ASCII characters (variable called "Password").

3. It was poorly chosen (variable called "Chosen").

4. It is changed frequently (variable called "Change").

5. It is difficult to remember (variable called "Remember").

6. It is not used frequently (variable called "Log On").



Insert Table 2 about here 
Table 2 shows that the assumption that users will write down a password if it has a high number of characters in it was not supported. This finding is surprising: the number of characters in a password is expected to affect memorability, and it follows that if a password is difficult to remember it is written down [2].

System-generated passwords typically consist of pseudo-random characters [15, 24]. They therefore tend to be complicated, difficult to remember and unpopular with users [24]. If a password is not easy to remember then users tend to write it down [2]. 83 users found it difficult to remember their passwords. However, 200 users felt it was necessary to write down their passwords. Users who perceive that they will not be using the computer-based information system on a frequent basis may choose to write down their password for future reference. Users may write down their password simply out of habit. Or users may write down a password because frequent change requirements are too demanding for their mental capacity or desire to remember. More change increases the likelihood a password will be forgotten.

Table 2 also indicates that while there is not a strong association between writing down a password and its characteristics, it is statistically significant. The findings here demonstrate that the characteristics of a password have something to do with whether a user is moved to put it in writing. Here it was assumed that the characteristics of a password would affect its memorability, which would lead to it being written down.

These findings provide no confirmation for the assumption that frequent password changing would make it difficult to remember the current password, which would cause users to write down the password. The finding of a statistically significant association between difficulty remembering a password and whether it was written down supports previous research [2].
The frequency with which a password is used was found to have a statistically significant relationship to whether it is written down. This supports the assumption that little use of a password to access a computer-based information system leads to the password being forgotten; if the password is used often and not forgotten, the need to write it down is reduced.

Difficulty Remembering a Password

A second issue of interest was the possible relation between a user's difficulty in remembering a password and a set of relevant variables. Responses to the question "do you have difficulty remembering a password?" (a dichotomous response) were examined for their association with answers to six other questions. It had been assumed that users would have trouble remembering a password if:

1. It has a high number of characters in it (variable called "Number").

2. The characteristics of the password make it difficult to remember, e.g. a random string or ASCII characters (variable called "Password").

3. It was poorly chosen (variable called "Chosen").

4. It is not used often (variable called "Log On").

5. It is changed frequently (variable called "Change").

6. It is not the same password used on other information systems (variable called "Same").



Insert Table 3 about here 
Barton and Barton [3] and Menkus [15] suggest that the ability to recall a password tends to decrease as length increases. It has long been accepted that people can remember expressions of about seven characters in length [13], with a proposed password length being six to eight characters [15]. The findings shown in Table 3 do not support those suggestions.

Table 3 also contains a finding that the characteristics of a password are 
associated with difficulty remembering it. As previous research revealed, an 
alphanumeric password chosen from meaningful detail is more easily remembered than 
passwords generated from pseudo-random combinations [24]. 

There was a finding of a significant association between the basis for choosing a password and whether it is difficult to remember. Users who choose their own password are more likely to remember it [24]. Users will select from a simple domain of things meaningful to them, something from episodic memory [15, 24].

A significant and strong association was found between how often a password was used and how difficult it is to remember. This supports the assumption that frequent use of a computer-based information system is related to password memorability. Table 3 also shows a significant and strong association between frequent change of a password and how difficult it is to recall, which supports previous research [22]. The frequency with which a password is changed may result from a password being difficult to remember, the suspicion that a password has been guessed, or security consciousness.

Finally, no relationship was found between the use of the same password on several information systems and whether it was difficult to remember.
Predictability of a Password

Passw'ord compromises have resulted from information on computer bulletin 
boards, guesses about personal vitae, environmental cues and systematic intrusions [3]. 
The predictability of a password is expected to be influenced by password characteristics, 
frequency of use and whether the password was written down, how often it is changed, 
frequency of using the computer-based information system and the work location of the 
user. 

Responses to the question "has your password been guessed?" (a dichotomous response) were examined for their association with answers to seven other questions. It was assumed that a password was predictable if:

1. It had been written down (variable called "Write").

2. It has a low number of characters in it (variable called "Number").

3. The characteristics of the password make it easy to guess (variable called "Password").

4. It was poorly chosen (variable called "Chosen").

5. It is used frequently (variable called "Log On").

6. It is not changed frequently (variable called "Change").

7. The user accesses the information system from a public terminal (variable called "Work").



Insert Table 4 about here
Table 4 shows that there was no significant relationship between a password having been written down and whether the password was predictable. This finding is not in keeping with previous research, which suggests that once a password is written down it becomes something possessed that can be stolen.

Morris and Thompson [14] suggest that a shorter password means less work to do in a brute force attack to discover a user's password. While this view is widely supported in the literature (Avarne [2], Hsiao [8] and Pfleeger [18] are just a few to mention), the findings in Table 4 do not support it. Those respondents who thought their password might have been compromised had not associated this compromise with the length of the password.

Table 4 also shows that the characteristics of a password and its predictability, while not strongly associated, are significantly related statistically. The link here is that passwords chosen from a meaningful detail of the user's biography make a password predictable. This supports earlier research: relatively short passwords chosen from some form of meaningful detail and consisting of alphanumerics increase predictability. Morris and Thompson [14] found that an intruder conducting a dictionary search alone would require only five minutes to reveal about a third of the 3,289 passwords collected.

How a password was chosen and its predictability were found not to be significantly associated. This finding contradicts previous research. Morris and Thompson [14] suggest that passwords consisting of letters and numbers were more predictable than passwords drawn from, say, the full ASCII character set.

There was no association in Table 4 between the frequency with which a password was used and its predictability. The literature on password security suggests that frequent use of a password increases its predictability [1, 2].
These findings show that there was a strong association between the frequency with which a password was changed and its predictability. Most previous research supports the frequent changing of passwords to reduce predictability. Wood [24] asserts that passwords should be changed annually. Menkus [15] suggests every 30 days. While changing a password is believed to be a sound security practice for information system access, it also makes it difficult for a user to remember his or her current password.

The findings here also show that where a user worked was related to the predictability of their password. A public terminal is clearly a more vulnerable work site than the privacy of a faculty office or accessing the mainframe by modem from home. 19% of the users worked at home and 16% worked from a private office; 51% worked at public terminals. Those who worked at home had the least predictable passwords.

If a user had a predictable password, they were then asked why they thought it had been compromised. 23% of the compromised users had data files that had been altered. 26% had unintentionally disclosed the password to others. 10% had intentionally disclosed a password. 39.5% attributed their belief to other indicators.

Data Importance 

Data importance is an assessment of how crucial data files are. It had been assumed that data rated as important would be surrounded with more security than data not rated as crucial [7]. Responses to the question "how important are your data?" (an ordinal response) were examined for their association with answers to six other questions. It had been assumed that if data files are rated as being important then:

1. Passwords would not be written down (variable called "Write").

2. Passwords would be longer (variable called "Number").

3. The characteristics of the password would make it difficult to predict (variable called "Password").
4. The password would be well chosen (variable called "Chosen").

5. The password would be changed frequently (variable called "Change").

6. The user would avoid accessing the information system from a public terminal (variable called "Work").



Insert Table 5 about here 



As can be seen from Table 5, there were no associations between data importance and password characteristics or the number of characters in a password. This lack of association can be explained by understanding that when most users are issued a mainframe account, they have little anticipation of what kind of information they will be storing in their data files.

Table 5 shows a significant association between writing down a password and how important a user's data files were. Writing down a password, of course, invites a compromise of computer-based information system security. This finding contradicts the assumption that important data would be treated with greater care. A security-conscious user with important data files will not write down a password for fear of it being lost. Once written down, the degree of security is compromised.

There was confirmation of the assumption that users take care to choose passwords that are difficult to predict for data they consider important. These findings also provided grounds for the assumption that users undertake the precaution of frequently changing their passwords in order to protect important data.
There also was confirmation for the belief that users took care not to work from public terminals if they considered their data files to be important. Typically, if a user is working on an important data file they will do so somewhere more secure than a public terminal room.

Data Sensitivity 

Data sensitivity refers to the degree to which embarrassment or problems would result from the disclosure of the data. As with the importance of data files, it had been assumed that as users rated their data as more sensitive, they would be more cautious in the use of the password that accessed them [7].

Responses to the question "how sensitive are your data?" (an ordinal response) were examined for their association with answers to six other questions. It had been assumed that if users rated their data files as containing sensitive information then:

1. They would not write down their passwords (variable called "Write").

2. They would use longer passwords (variable called "Number").

3. The characteristics of the password would make it difficult to predict (variable called "Password").

4. The password would be well chosen (variable called "Chosen").

5. The password would be changed often (variable called "Change").

6. The user would avoid accessing the information system from a public terminal (variable called "Work").

A secure password is one that is relatively long, made up of random alphanumerics, easy to remember and difficult to predict.
Insert Table 6 about here



The results in Table 6 suggest that there were no associations between data sensitivity and whether a password was written down, how a password was chosen, password characteristics or the number of characters in a password. However, Table 6 does contain a finding that the sensitivity of data files is related to how often passwords were changed. As with the importance of data files, users were making distinctions in their management of passwords to protect sensitive files. Finally, the findings here support the assumption that the sensitivity of data files is related to users' work locations. Again, as with data file importance, users took precautions in how they used their passwords, i.e. not working on sensitive data where the password entry might be observed by others.

Discussion 

Passwords As An Effective Access Control Mechanism

Little of the literature on password security is empirically based. The bulk of it consists of essays offering common-sense suggestions about how users ought to employ passwords, based on widely held assumptions about how they do employ them. The effort here looks at the empirical reality behind those assumptions.

This paper points out that access control to a computer-based information system is required at various levels in order to obtain a required level of security. At each level a certain amount of user identification, authentication and authorization must be verified. Passwords were found to be an effective means for such. Traditional passwords, however, have some inadequacies. Morris and Thompson [14] revealed some of the inadequacies of user-generated passwords in the pre-personal computer era. These included passwords relatively short in character length and passwords made up of some type of detail meaningful to the user, making them easy to remember. Passwords that are easy to remember provide low levels of security.

This empirical verification of password practices identifies the characteristics that affect password selection, memorability and predictability. Moreover, it brings to light that the importance and sensitivity of data files affect password selection, memorability and predictability.

From the descriptive findings, two stand out. Despite long efforts by information system professionals to inculcate users with proper password practices, this study found that users continue to choose short passwords, made up mostly of easy-to-remember alphabetic or alphanumeric characters.



Characteristics of User-Generated Passwords

This paper has shown that the characteristics of user-generated passwords in the personal computer era have not changed much from those in the pre-personal computer era identified by Morris and Thompson [14]. User-generated passwords of today still bear the characteristics of being made up of some type of detail meaningful to the user, relatively short in length, made of alphabetic or alphanumeric characters and, in some cases, written down on paper. In general, they remain easy to remember and simple in structure. However, what has changed is the user's attitude toward security on computer-based information systems. The impetus of computer security has made the common user more attentive to computer security requirements and more receptive to organizational administrative and technical security controls/procedures.

Password Characteristics And Writing Down A Password

Most users require memory aids to help their recall [15]. The most common type of memory aid is writing a password down. This violates the basic tenet of password security. Typically, a password is written down if it is difficult to remember [2]. However, passwords are also written down out of habit, from the perception that the password will not be used frequently, or because system change requirements are too demanding to remember each password. This research showed that password memorability affects whether a password is written down.

The analysis of the relationships among the password variables produced both 
confirmations of some pieces of the conventional wisdom in regard to system security as 
well as some surprises. 

Among the confirmations were these: 

1. If a password was difficult to recall it was written down.

2. The more frequently a password was used, the less it was written down.

3. The more a password is used, the less difficult it is to remember.

Among the surprises were the following: 

1. The length of passwords is not related to their being written down.

2. Whether a password was chosen on a basis that helped its memorability or impeded it had no bearing on its being written down.
3. The length of passwords is not related to whether they are difficult to recall.

4. Frequent changing of passwords, necessary to reduce password 
predictability, nonetheless hinders recall. 

5. The number of characters in a password is not related to its predictability. 

6. There was no support for the commonplace that alphanumeric characters 
make a password more predictable than ASCII characters. 

Many of the notable findings reported here are neither confirmations nor surprises because they introduce dimensions of password security heretofore not explored in the literature, e.g. data file importance, data file sensitivity and work location.

Password Characteristics and Password Memorability 

This research revealed that several password characteristics affect password memorability. The findings here that support previous research were:

1. Password characteristics and how a password is chosen (meaningful detail, combination of meaningful details, pronounceable passwords, etc.) affect password memorability.

2. The frequency of changing a password, although it increases the level of computer-based information system security, hinders memorability.

3. The frequency of accessing an information system, which may in many cases hinder system security if the password is not changed, enhances password memorability.
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Most noteworthy was the finding that password length was found not to have any 
effect on memorability, this can be attributed to the advent of pronounceable passwords 
(mnemonics) such as "2GOOD4U" and passphrases such as "I Love Paris In The Spring 
Time" (ILPITST) [3, 15]. 

Password Characteristics and Password Predictability 

Results of this research show that password predictability is strongly affected by 
the frequency of changing a password. As previous research purports, the greater the 
frequency of change the greater the level of system security. Although previous research 
suggested that passwords made of meaningful detail, relatively short in length and simple 
in structure lead to predictability, the findings of this study did not support that. Note 
that predictability was measured here by the respondent's own report of whether the 
password had ever been guessed (Table 4), not by subjecting the passwords to guessing 
attacks, so a short or simple password that was never attacked would not register as 
predictable. A notable finding that is counter to previous research is that writing down 
a password was not found to affect password predictability. Writing down a password 
violates the basic tenet of password security that holds that a password must be in the 
domain of something known. When a password is written down it moves into the domain 
of something possessed. Entities in that domain are subject to being lost, stolen or put 
in a place lacking security. 

Password Characteristics and Sensitivity and Importance of Data Files 

Although previous research revealed very little on this area of interest, this 
research shows that data importance and sensitivity do affect certain characteristics of 
user-generated passwords. Hoffman [7] suggests that the level of security should be 
commensurate with the importance of the resources it protects. While many users did 
not rate their data files as either important or sensitive, the few that did were expected 
to exercise sound password security principles for password selection and use. This study 
showed that how a password is chosen, the number of characters in a password and 
password characteristics (alphabetic, alphanumeric, ASCII, etc.) were not affected by the 
level of data importance or sensitivity. This finding can be understood by noting that 
most users were asked to devise a password when they were new system users, long 
before they could know how important or sensitive their data files would be. It can also 
be noted that some users, being new to mainframe computing, likely lacked information 
system security consciousness. 

Data importance and sensitivity were found to strongly affect where a user will 
work when using a computer-based information system. A security-conscious user 
working on sensitive or important data files will typically work in a location that is 
private and secure. This research also revealed that the frequency of changing a 
password is affected by the level of data importance and sensitivity. A security-conscious 
user will choose to change his or her password more frequently if they are protecting 
data files that are important or sensitive. 

Recommendations 

Recommendations for Secure Password Procedures 

The following recommendations are made by Cooper [4], Morris and Thompson 
[14] and Pfleeger [18] to improve the level of security/access control provided by 
passwords: 

1. Passwords should be longer. 

2. Passwords should be made of meaningful detail to aid recall. 

3. Passwords should contain a mix of characters, such as ASCII characters. 

4. Passwords should be changed frequently. 

5. Passwords should not be written down. 
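The first three recommendations, together with the earlier observation that pronounceable 
passwords and passphrase acronyms such as ILPITST decouple memorability from length, can 
be made concrete. The Python below is an added example, not code from the paper or its 
cited sources: it classifies a password into the questionnaire's four structure categories 
(question 4), builds a passphrase acronym the way the paper's ILPITST example does, and 
compares the nominal keyspace of each category at a given length. The alphabet sizes, the 
8-character threshold and the function names are this example's assumptions; the keyspace 
figure is the standard log2(alphabet^length) bound for a uniformly random choice, which 
the study did not compute, and a password built from meaningful detail falls far below it. 

```python
import math

# Alphabet sizes per structure category (question 4 of the questionnaire).
# Assumed here: printable-ASCII counts, not figures from the study.
ALPHABET_SIZES = {
    "numeric": 10,        # 0-9
    "alphabetic": 52,     # a-z, A-Z
    "alphanumeric": 62,   # letters and digits
    "ascii": 95,          # all printable ASCII, including punctuation and space
}


def classify(password: str) -> str:
    """Map a password to the questionnaire's structure categories:
    alphabetic, numeric, alphanumeric, or ASCII (anything beyond letters and digits)."""
    if not password:
        raise ValueError("empty password")
    if any(not c.isalnum() or ord(c) > 126 for c in password):
        return "ascii"
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if has_alpha and has_digit:
        return "alphanumeric"
    return "numeric" if has_digit else "alphabetic"


def keyspace_bits(password: str) -> float:
    """Bits of guessing work for a password drawn uniformly at random from its
    category's alphabet: len * log2(alphabet). A meaningful-detail password is
    much easier to guess than this upper bound suggests."""
    return len(password) * math.log2(ALPHABET_SIZES[classify(password)])


def mnemonic(phrase: str) -> str:
    """Passphrase acronym: 'I Love Paris In The Spring Time' -> 'ILPITST'."""
    return "".join(word[0].upper() for word in phrase.split() if word)


def meets_length_and_mix(password: str, min_len: int = 8) -> bool:
    """Recommendations 1 and 3: long enough (threshold assumed here) and built
    from more than a single character class."""
    return len(password) >= min_len and classify(password) in ("alphanumeric", "ascii")


if __name__ == "__main__":
    samples = ["1234", "2GOOD4U", mnemonic("I Love Paris In The Spring Time"),
               "cd!Yx", "Bill1989"]
    for pw in samples:
        print(f"{pw:10s} {classify(pw):13s} {keyspace_bits(pw):5.1f} bits  "
              f"meets length+mix={meets_length_and_mix(pw)}")
```

Running the block shows why the study's "surprise" that length is unrelated to 
predictability should not be read as a design rule: the seven-letter acronym ILPITST has a 
larger nominal keyspace than the five-character ASCII password cd!Yx, because length 
multiplies bits while a richer character set only adds a few bits per position. 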

Although passwords are widely used, confidence in their capacity to provide 
adequate security for computer-based information systems is decreasing. 

While it is a fundamental tenet of information system security that passwords be 
changed frequently, almost 80% of the users surveyed in this research never changed 
their password. Fewer than 6% of them changed their passwords with any frequency at 
all. These findings prompt a need to look at the effectiveness of educational efforts to 
raise the security-consciousness of system users. 

Recommendations for Further Research 

Applications of passwords as a security mechanism have not advanced as rapidly 
as information technology [9, 10]. The details of password system applications and their 
effectiveness warrant further research. 

First, the information system community enjoys a surfeit of essays and non-
empirical insights into what users ought to do about password practices. This community 
now will benefit from channeling some of its research efforts toward investigations of 
what users actually do with regard to password practices. 

Second, the information system community would be well served if researchers in 
the field of system security replicated the procedures described here to challenge these 
findings in varying user populations and under diverse organizational conditions. 
Appendix A 

Thesis Questionnaire - Computer Password Characteristics 

Improving effective information system security is a continuing problem. Passwords are 
widely used to control access to information systems. The purpose of the questionnaire is 
to generate sample data on the characteristics of user generated passwords at the NPS. I 
do not want to know your password, only certain characteristics about it. The resulting 
data will be used to create a new form of passwords that are difficult to guess. 

Even if you are not a computer user or do not use the computer frequently, your 
response to this questionnaire will still provide us with important information. 

PART A: Personal Information 

Age: 

Sex (circle one): Male  Female 

Curriculum (students): 
or 
Department (faculty): 

PART B: Password Characteristics (Please do not reveal your password!!) 

Do you use the NPS mainframe system (circle one)? 

No 

Yes 

If no, please return this questionnaire anyway; even if you do not use the NPS system, 
we appreciate completed returns. 

If yes, please continue. 

1. How many characters are in your password? 

3. How did you choose your password (circle one)? 

A. A meaningful detail (e.g., name, date, street). 

B. A combination of meaningful details (e.g., Bill1989, 4june63). 

C. A pronounceable password (e.g., one4you, 2Bfree). 

D. A random combination of characters (e.g., carS&, dUCk'-?+). 

E. Other (please specify). 

4. What are the characteristics of your password (circle one)? 

A. Alphabetic (e.g., abdc, ERTIS). 

B. Numeric (e.g., 1234, 5879). 

C. Alphanumeric (e.g., a34d, fo67il). 

D. ASCII (e.g., cd!Yx, Acl+tf). 

5. Have you ever had difficulty remembering your passwords (circle one)? 

No 

Yes 

6. Very often, computer users find it convenient to write down their password for 
those unfortunate times when they forget it. 

Do you also practice this (circle one)? 

Yes 

No 

If so, where do you write it down (users manual, calendar book, notebook, keyboard, 
on something in your wallet)? 

where: 

7. How often did/do you change your password (circle one)? 

A. Never 

B. Less than once a year 

C. Up to three times a year 

D. Four to six times a year 

E. About once every month 

F. More than once a month 

8. Has your password ever been guessed by someone, or have you felt it had been 
guessed (circle one)? 

Yes 

No 

If so, what led you to believe it had been guessed? 

9. How sensitive are your data (what problems would result if they were disclosed) 
(circle one)? 

1  Non-sensitive (nothing to hide) 
2 
3  Moderately sensitive (mildly embarrassing personally) 
4 
5  Very sensitive (... the organization) 

10. How important are your data (how vital are your data) (circle one)? 

1  Non-vital (not important, would not miss, life would go on) 
2 
3  Moderately vital 
4 
5  Highly vital (thesis, research results) 

11. When using a computer system, from where do you normally work (circle one)? 

A. Private office at NPS 

B. Home 

C. Public terminal at NPS 

D. Other (please specify) 

12. How often do you log on to the NPS mainframe (or other NPS system) (circle one)? 

A. Never 

B. Annually 

C. Quarterly 

D. At least once a month 

E. Several times a month 

F. At least once a week 

G. Several times a week 

H. At least once a day 

I. Several times a day 

13. Do you use any non-NPS computer systems which require the use of a password 
(circle one)? 

Yes 

No 

14. Do you use the same NPS password on non-NPS systems (circle one)? 

Yes 

No 

Please place the completed questionnaire in the self-addressed envelope provided and 
return it as soon as possible. 

Thank you for your cooperation. 



Figure 1: Number of characters in passwords (bar chart; vertical axis: number of 
respondents; horizontal axis: number of characters in password) 

Figure 2: Basis of choosing a password (bar chart; vertical axis: number of respondents; 
horizontal axis: basis of choosing password; one bar is labelled 65.2%) 

Figure 3: Structure of password characteristics (bar chart; vertical axis: number of 
respondents; horizontal axis: structure of password characteristics) 

Figure 4: Location where passwords were written (bar chart; vertical axis: percent of 
respondents; horizontal axis: location of written password; one bar is labelled 42.1%) 

Figure 5: Frequency of changing passwords (bar chart; vertical axis: number of 
respondents; horizontal axis: Never, Annually, 1 to 3/yr, 4 to 8/yr, Monthly, >Monthly; 
Never is labelled 79.6% and >Monthly 0.2%; one further bar is labelled 14.9%) 

Selection of Statistical Tests 

Data level of variables        Test used 
Dichotomous x Interval         T-test 
Ordinal x Interval             Analysis of Variance 
Dichotomous x Nominal          Cramer's V 
Ordinal x Nominal              Kruskal-Wallis 
Dichotomous x Ordinal          Mann-Whitney U 
Ordinal x Ordinal              Spearman's Rho 
Dichotomous x Dichotomous      Chi-squared 

Table 1: Selection of statistical tests 
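Tables 2 to 6 below report, for each pair of variables, the test chosen from Table 1, its 
value, the probability, and whether the null hypothesis of no association is rejected. The 
Python below is added here as an illustration of that procedure and is not part of the 
study's own analysis: it carries out the dichotomous x dichotomous case (chi-squared, with 
Cramer's V as the effect size) on a constructed 2 x 2 table of difficulty remembering 
against writing the password down. The counts are made up for the example and are not the 
survey's data, the function names are this example's, and the one-degree-of-freedom tail 
probability is computed exactly with erfc rather than read from a table. 

```python
import math


def chi_squared(table):
    """Pearson chi-squared statistic for an r x c contingency table given as a
    list of rows of observed counts."""
    rows, cols = len(table), len(table[0])
    n = sum(sum(r) for r in table)
    row_tot = [sum(r) for r in table]
    col_tot = [sum(table[i][j] for i in range(rows)) for j in range(cols)]
    stat = 0.0
    for i in range(rows):
        for j in range(cols):
            # Count expected in this cell if the two variables were independent.
            expected = row_tot[i] * col_tot[j] / n
            stat += (table[i][j] - expected) ** 2 / expected
    return stat


def cramers_v(table):
    """Effect size in [0, 1] for a nominal x nominal association; Table 1 uses it
    for dichotomous x nominal pairs."""
    n = sum(sum(r) for r in table)
    k = min(len(table), len(table[0]))
    return math.sqrt(chi_squared(table) / (n * (k - 1)))


def p_value_2x2(stat):
    """Right-tail probability of a chi-squared variable with 1 degree of freedom,
    i.e. for a 2 x 2 table: P(X > stat) = erfc(sqrt(stat / 2))."""
    return math.erfc(math.sqrt(stat / 2.0))


def reject_null(table, alpha=0.05):
    """The 'Reject Null Hypothesis' column of Tables 2 to 6, for a 2 x 2 table."""
    return p_value_2x2(chi_squared(table)) < alpha


# Constructed counts (not the survey's data): rows = difficulty remembering
# (No, Yes); columns = writes the password down (No, Yes).
SAMPLE = [
    [300, 60],
    [40, 40],
]

if __name__ == "__main__":
    stat = chi_squared(SAMPLE)
    print(f"chi-squared = {stat:.2f}, p = {p_value_2x2(stat):.2e}, "
          f"Cramer's V = {cramers_v(SAMPLE):.3f}, reject null = {reject_null(SAMPLE)}")
```

A table whose rows are proportional, for instance [[100, 100], [50, 50]], gives a statistic 
of exactly zero and a probability of 1, which is the "No" outcome in the tables; the 
constructed table above gives a statistic of about 41, comparable in size to the 38.45 that 
Table 2 reports for the same pair of variables, and Cramer's V of about 0.31 indicates a 
modest association even where the probability is far below any conventional threshold. 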



Do you write down your password? 

Variable    Level of measure   Test           Test value   Probability   Reject null hypothesis 
Number      Interval           T-test         -.20         .839          No 
Password    Nominal            Cramer's V     .1194        .0065         Yes 
Chosen      Nominal            Cramer's V     .0875        .1584         No 
Change      Ordinal            Mann-Whitney   65872        .9899         No 
Remember    Dichotomous        Chi-squared    38.45        .0000         Yes 
Log on      Ordinal            Mann-Whitney   49783        .0000         Yes 

Table 2: Association of writing down passwords with other password variables 



Do you have difficulty remembering a password? 

Variable    Level of measure   Test           Test value   Probability   Reject null hypothesis 
Number      Interval           T-test         -.38         .706          No 
Password    Nominal            Cramer's V     .1131        .0110         Yes 
Chosen      Nominal            Cramer's V     .1221        .0121         Yes 
Log on      Ordinal            Mann-Whitney   26269        .0214         Yes 
Change      Ordinal            Mann-Whitney   25363        .0000         Yes 
Same        Dichotomous        Chi-squared    1.475        .2245         No 

Table 3: Association of difficulty to remember passwords with other password variables 



Was your password guessed? 

Variable    Level of measure   Test           Test value   Probability   Reject null hypothesis 
Write       Dichotomous        Chi-squared    .5280        .4674         No 
Number      Interval           T-test         -1.27        .204          No 
Password    Nominal            Cramer's V     .1445        .0004         Yes 
Chosen      Nominal            Cramer's V     .0935        .1145         No 
Log on      Ordinal            Mann-Whitney   985.5        .4677         No 
Change      Ordinal            Mann-Whitney   64125        .0000         Yes 
Work        Nominal            Cramer's V     .2138        .0000         Yes 

Table 4: Association of password predictability with other password variables 



How important are your data? 

Variable    Level of measure   Test             Test value   Probability   Reject null hypothesis 
Write       Dichotomous        Mann-Whitney     55157        .0020         Yes 
Number      Interval           ANOVA            .480         .787          No 
Password    Nominal            Kruskal-Wallis   8.073        .0889         No 
Chosen      Nominal            Kruskal-Wallis   12.98        .0114         Yes 
Change      Ordinal            Spearman's Rho   .1916        .0000         Yes 
Work        Nominal            Kruskal-Wallis   91.79        .0000         Yes 

Table 5: Association of important data files with other password variables 



How sensitive are your data? 

Variable    Level of measure   Test             Test value   Probability   Reject null hypothesis 
Write       Dichotomous        Mann-Whitney     64272        .8915         No 
Number      Interval           ANOVA            1.388        .236          No 
Password    Nominal            Kruskal-Wallis   2.886        .5771         No 
Chosen      Nominal            Kruskal-Wallis   7.264        .1226         No 
Change      Ordinal            Spearman's Rho   .1544        .0000         Yes 
Work        Nominal            Kruskal-Wallis   29.13        .0000         Yes 

Table 6: Association of sensitive data files with other password variables 